Encrypt Querystring parameters.

Hi All,
Can someone give me any idea for encrypting Querystring parameters in my URL?

Please take a look at this component:

You will find Encrypt and Decrypt actions.

Hope it helps you.
Best regards.
Daniel Martins


I would NOT recommend using ardoCrypto for this.

I needed to encrypt query string params and I used ardoCrypto, but it was so slow I had to drop it.

I use the Crypto extension with good performance. You can find it in the Enterprise Manager.

Key derivation in ardoCrypto may take some time (it does 30k something hashes), but if you save the derived key, encryption and decryption should be quick (there are actions for this).

I don't recommend using Enterprise Manager's Crypto as it is not as secure :)

Edit: please note that key derivation taking a long time is a feature. It's one of the protections against brute force attacks.
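
Ricardo's point above (derive the key once, save it, then encrypt and decrypt quickly), sketched as an added example that is not from the thread or from any of the components it mentions. It uses Node.js's built-in crypto with PBKDF2 and AES-256-GCM; the iteration count, function names, URL and secrets are assumptions made for illustration.

```javascript
// Added example: names, URL, secrets and the iteration count are constructed.
const { pbkdf2Sync, randomBytes, createCipheriv, createDecipheriv } = require('crypto');

const ITERATIONS = 30000; // assumption; the thread only says "30k something hashes"

function makeParamCipher(passphrase, salt) {
  // Deliberately slow step: run once (e.g. at startup) and keep the derived key.
  const key = pbkdf2Sync(passphrase, salt, ITERATIONS, 32, 'sha256');

  // Token layout: nonce (12 bytes) || GCM tag (16 bytes) || ciphertext, base64url.
  function encrypt(name, value) {
    const nonce = randomBytes(12); // fresh nonce per token, never reused with a key
    const cipher = createCipheriv('aes-256-gcm', key, nonce);
    cipher.setAAD(Buffer.from(name, 'utf8')); // bind the token to its parameter name
    const ct = Buffer.concat([cipher.update(String(value), 'utf8'), cipher.final()]);
    return Buffer.concat([nonce, cipher.getAuthTag(), ct]).toString('base64url');
  }

  // Returns the plaintext, or null when the token was edited, truncated,
  // or copied into a different parameter.
  function decrypt(name, token) {
    const raw = Buffer.from(String(token), 'base64url');
    if (raw.length < 28) return null;
    const decipher = createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
    decipher.setAuthTag(raw.subarray(12, 28));
    decipher.setAAD(Buffer.from(name, 'utf8'));
    try {
      return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
    } catch {
      return null; // authentication failed
    }
  }
  return { encrypt, decrypt };
}

// Constructed secrets; real ones belong in protected server-side configuration.
const params = makeParamCipher('constructed-passphrase', Buffer.from('constructed-salt'));

function buildLink(orderId) {
  const url = new URL('https://app.example/OrderDetail');
  url.searchParams.set('OrderId', params.encrypt('OrderId', orderId));
  return url.toString();
}

function readOrderId(link) {
  const token = new URL(link).searchParams.get('OrderId');
  return token === null ? null : params.decrypt('OrderId', token);
}
```

The key never leaves the server, so the browser only carries an opaque token; this addresses users reading or editing the parameter, not transport security.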

Thank you for the explanation Ricardo.
Pramod, I would definitely give it a try!

Best regards.
Daniel Martins

Why not just use SSL? That encrypts the entire HTTP request, including the query string.

Justin: I think they are referring to the parameters in the URL being human readable (adjustable) & not the transport layer between the client & server.

Pramod: you can always call the screen from an action and not from a link. That way the parameters are passed internally to the next screen and it is not visible on the URL. Only problem I have found is that if you are hot deploying/uploading the new espace(s) whilst users are using the site, those parameters will be lost as the state is not preserved with the deployment of the new version of your espace(s).

Cheers, Mark

Mark -

That requirement doesn't make sense to me. Either you are sending the browser all the information needed to decrypt it anyways, so it isn't actually *secure*, or the browser never decrypts it, which means that there is no reason to do this in the first place.

If the goal is simply "I don't want my users to see a piece of data in the address bar of their browser but I don't care if they can actually get the data" then yes, the right answer is "call an action" or "use Submit or Ajax Submit, not Navigate".

If the goal is "security on the wire" then the answer is "use SSL".

If the goal is "I don't want the end users to have any access to this data at all" then the answer is "rearchitect what you are doing so that the data is not sent to the browser in the first place".



There is a brand new component on the forge (urlencryption).
That's worth a try!

Best regards.
Daniel Martins

Hi Guys,

Like Daniel mentioned, there's a new component that might help here. If you have the chance to try it and give some feedback, it would be great.